CVE-2010-1157

Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might allow remote attackers to discover the server's hostname or IP address by sending a request for a resource that requires (1) BASIC or (2) DIGEST authentication, and then reading the realm field in the WWW-Authenticate header in the reply.

Published Bysecalert@redhat.com

Published DateApr 23, 2010, 14:30

Affected Versions(2)

org.apache.tomcat:tomcat(Maven)

Introduced5.5.0

Fixed5.5.30

LimitN/A

org.apache.tomcat:tomcat(Maven)

Introduced6.0.0

Fixed6.0.28

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.apache.tomcat:tomcat(Maven)	5.5.0	5.5.30	N/A
org.apache.tomcat:tomcat(Maven)	6.0.0	6.0.28	N/A

Weakness Type (CWE):CWE-200

CVSS Metrics

Base Score

2.6

Vector String

AV:N/AC:H/Au:N/C:P/I:N/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

NONE

References

Weakness Type (CWE):CWE-200

CVSS Metrics

Base Score

2.6

Vector String

AV:N/AC:H/Au:N/C:P/I:N/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

NONE